Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


VirtualProtect

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General programming
View previous topic :: View next topic  
Author Message
Polynomial
Grandmaster Cheater
Reputation: 5

Joined: 17 Feb 2008
Posts: 524
Location: Inside the Intel CET shadow stack
PostPosted: Sat Feb 06, 2010 9:44 am    Post subject: VirtualProtect Reply with quote
I'm working on some code to help secure released .NET applications against disassembly. I'm already using smartassembly for obfuscation and modification protection. I've also implemented tests to make sure the binary is signed, as well as checks using RSA to make sure that the binary remains unmodified.

What I want to do is implement some (albeit primitive) protection routines to make it a little harder for casual debuggers to crack. I've read good things about VirtualProtect, but can't find any samples that would protect the code region of the process in-memory. For a start, I don't know how to find the pointer to the start of the code section, let alone how to identify a code section at runtime.

Another question: would calling IsDebuggerPresent work at all with a .NET process? I know it can be patched simply using something like OllyDbg, but it's another thing for the person to think about.
_________________
It's not fun unless every exploit mitigation is enabled.
Please do not reply to my posts with LLM-generated slop; I consider it to be an insult to my time.
Back to top
View user's profile Send private message
iPromise
Grandmaster Cheater
Reputation: -1

Joined: 27 Jun 2009
Posts: 529
Location: Canada
PostPosted: Sat Feb 06, 2010 10:31 am    Post subject: Reply with quote
heres a example

Code:

DWORD oldProtect;
VirtualProtect((LPVOID) Address, PAGE_EXECUTE_READWRITE, &oldProtect);


dont use PAGE_EXECUTE_READWRITE, its just a example.
Back to top
View user's profile Send private message MSN Messenger
Polynomial
Grandmaster Cheater
Reputation: 5

Joined: 17 Feb 2008
Posts: 524
Location: Inside the Intel CET shadow stack
PostPosted: Sat Feb 06, 2010 4:04 pm    Post subject: Reply with quote
I know how to call the API, just not how to determine the address I want to protect. I want to run VirtualProtect all the way over my code section in-memory so that modifications are made more difficult.
_________________
It's not fun unless every exploit mitigation is enabled.
Please do not reply to my posts with LLM-generated slop; I consider it to be an insult to my time.
Back to top
View user's profile Send private message
iPromise
Grandmaster Cheater
Reputation: -1

Joined: 27 Jun 2009
Posts: 529
Location: Canada
PostPosted: Sat Feb 06, 2010 4:19 pm    Post subject: Reply with quote
use virtualquery() to find your regions, if your looking for MEM_PRIVATE pages, you can specify that and protect those addies.

example

Code:

MEMORY_BASIC_INFORMATION mbi;
DWORD min = 0x00400000;
DWORD max = 0x7FFFFFFF;
SIZE_T s;
DWORD old;

for (DWORD i = min; i <= max; i++)
{
s = VirtualQuery((LPCVOID) i, &mbi, sizeof(mbi));

if (mbi.Type == MEM_PRIVATE)
{
VirtualProtect(i, 4, PAGE_EXECUTE_READWRITE, &old);
}
else
{
i = (DWORD) (mbi.BaseAddress + mbi.RegionSize) // get out of the region if its not a private one
}
}


+rep me if im helping u
Back to top
View user's profile Send private message MSN Messenger
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> General programming All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites